You’d think that organizations would have learned by now. But as last week’s news of the Anthem breach shows, hackers still find it too easy to steal critical information from high-profile companies. A disturbing dimension of all of this is that too often, organizations have the proper security and privacy controls in place, but there’s just one problem: They fail to properly enforce them.

According to research recently conducted by the Ponemon Institute and sponsored by Zimbra, a provider of commercial open source collaboration software in Frisco, Texas, 44 percent of organizations fail to enforce security and privacy protocols. In an interview following the release of the study’s findings, I asked Olivier Thierry, chief marketing officer at Zimbra, to what he would attribute this lack of enforcement. He cited the bane of every IT manager’s existence: shadow IT.

“At the end of the day, most employees are simply trying to be more efficient and productive in their jobs by using tools that are more user-friendly,” Thierry said. “Shadow IT has rapidly expanded businesses’ digital footprint beyond IT’s control, which is making policy enforcement increasingly difficult.”

One problem, Thierry said, is that widely deployed legacy products are designed to provide IT with control over businesses’ information infrastructure, but not the user experience.

“The user experience is usually degraded further when security and privacy enhancements are implemented,” Thierry said. But he indicated that’s changing. “The applications being designed today are essentially a revolt against the IT-first mentality,” he said, “and user experience takes the lead during development.”

Unfortunately, Thierry said, most of these applications forget security and privacy along the way.

“Luckily,” he said, “vendors are beginning to rethink the whole application layer, or taking steps to improve existing solutions, taking into account the user and the need for improved security and privacy.”

Zimbra’s collaboration software is built on a commercial open source foundation. Thierry argues that with open source, IT gains flexibility and control, while we all benefit from improved security and privacy.

“Many commercial open source vendors are finding elegant ways to marry security and privacy with a mobile-first, cloud-enabled user experience,” he said. “The survey showed over half of companies are planning to overhaul their messaging and collaboration solutions. Given the trust in commercial open source, many of these organizations will evaluate how open source’s benefits map to their specific business needs.”

Thierry highlighted the code transparency of Zimbra’s software in this context, so I asked him why a company would even need code transparency into whatever collaboration suite it adopts.

“Code transparency gives IT the power to confirm that the solution it deploys has no bad code, backdoors or hidden components,” he explained. “As privacy and security are paramount for many companies, this ability to trust the vendor, but also verify, will drive greater trust across the open source community.”

Thierry went on to provide some key tips for preventing a compromise when transferring secure data:

It is an absolute must that information be stored and transferred securely and privately, chiefly through the application of cryptographic mechanisms.

Access control and identity management are also measures that should be put in place, including two-factor authentication, rights, and authorization management.

Understanding data locality is increasingly becoming a necessity, as regional and national governing bodies put data protection and privacy regulations in place.

Maintaining compliance, as it applies to your company, is a minimum nowadays.

In addition, Thierry said, it’s important to keep in mind that popular file sharing and collaboration applications are popular for a reason.

“Their user experience and simplicity are superior to legacy approaches,” he said. “Organizations should look to take advantage of the efficiency and productivity benefits these solutions provide, but in a manner conducive to ensuring privacy and data protection.”

A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage. Follow him on Twitter @dontennant.